A provider of radiation therapy and cancer treatment has agreed to pay a $2.3 million fine for a data breach it suffered back in 2015.

On 11 December, the United States Bankruptcy Court in the Southern District of New York received an order (PDF) approving a settlement agreement that pertains to 21st Century Oncology. The agreement stipulates that the cancer treatment provider will pay $2.3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services for a security incident it suffered several years ago.

Forensic evidence indicates that the intrusion took place on 3 October 2015 when an unauthorized third party gained access to a database maintained by 21st Century Oncology. It’s believed those actors subsequently viewed the personal information including the names, Social Security Numbers, and medical information of 2.2 million patients.

The cancer treatment provider, which operates in the United States and Latin America, learned of the breach about a month later from the FBI. At that time, it took steps to enhance the security protocols of its systems. It also reached out to affected individuals and offered them free identity theft protection for a year.

21st Century Oncology ultimately went public about the incident in March 2016.

In addition to paying the $2.2 million fine, the debtor has agreed to appoint a compliance officer, set up internal breach reporting policies, revise its security policies, and perform a risk analysis. It’s also bound by another settlement agreement filed in Florida where patients affected by the breach can apply for reimbursement from 21st Century Oncology’s digital security insurance policy.